<!DOCTYPE html>
<html lang="en">

<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
	<meta name="keywords" content="authentication, vulnerability" />
	<meta name="description" content="Recommended fix for the Nacos authentication vulnerability and deployment guidance" />
	<!-- 网页标签标题 -->
	<title>Recommended Fix for the Nacos Authentication Vulnerability</title>
	<link rel="shortcut icon" href="https://img.alicdn.com/tfs/TB1hgJpHAPoK1RjSZKbXXX1IXXa-64-64.png"/>
	<link rel="stylesheet" href="/build/blogDetail.css" />
</head>
<body>
	<div id="root"><div class="blog-detail-page" data-reactroot=""><section class="blog-content markdown-body"><h1>Recommended Fix for the Nacos Authentication Vulnerability</h1>
<p>The Nacos community recently received a report of a security vulnerability in which Nacos's authentication could be bypassed through the User-Agent (UA) header. The community fixed this in version 1.4.1: users can now configure a custom server identity to authenticate communication between server nodes, instead of relying simply on the UA for authentication.</p>
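<p>The following added example (not Nacos code; header name, identity value and User-Agent prefix are constructed placeholders) contrasts the two approaches described above: a filter that trusts a User-Agent string accepts any client that sets that header, while a filter that requires a configured server identity only accepts peers that hold the shared value.</p>

```python
import hmac
from typing import Mapping

# Constructed placeholders (assumption: in a real deployment the identity
# pair comes from server configuration, never from source code).
SERVER_IDENTITY_HEADER = "X-Example-Server-Identity"
SERVER_IDENTITY_VALUE = "constructed-shared-identity-value"
TRUSTED_UA_PREFIX = "Example-Server/"


def _normalized(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def is_server_request_by_ua(headers: Mapping[str, str]) -> bool:
    """Weak check of the kind the post says 1.4.1 moved away from.
    The User-Agent is set freely by whoever sends the request, so this is
    identification, not authentication."""
    ua = _normalized(headers).get("user-agent", "")
    return ua.startswith(TRUSTED_UA_PREFIX)


def is_server_request_by_identity(headers: Mapping[str, str],
                                  key: str, value: str) -> bool:
    """Hardened check: require a configured header/value pair shared only
    among server nodes, compared in constant time."""
    if not key or not value:
        # Missing configuration: refuse rather than silently trusting everyone.
        return False
    presented = _normalized(headers).get(key.lower())
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), value.encode())


def authorize(headers: Mapping[str, str],
              key: str = SERVER_IDENTITY_HEADER,
              value: str = SERVER_IDENTITY_VALUE) -> str:
    """Trust level granted to the request: 'server' for an authenticated
    peer node, 'user' for everything else (which then needs normal login)."""
    return "server" if is_server_request_by_identity(headers, key, value) else "user"


# Constructed sample requests: a genuine peer, and a client that only
# imitates the peer's User-Agent.
PEER_REQUEST = {"User-Agent": "Example-Server/1.4.1",
                SERVER_IDENTITY_HEADER: SERVER_IDENTITY_VALUE}
UA_ONLY_REQUEST = {"User-Agent": "Example-Server/1.4.1"}
```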
<p>Immediately after 1.4.1 was released, a community security engineer reported another vulnerability: authentication could be bypassed with a specially crafted URL exploiting the same semantics. The community fixed it right away and published a hotfix of version 1.4.1.</p>
<p>Users are asked to upgrade to the latest 1.4.1 release (released 2021.01.15) as soon as possible and to follow the documentation to upgrade and apply the fix.</p>
<p>We sincerely apologize for the trouble and problems this has caused Nacos users.</p>
<p><a href="https://github.com/alibaba/nacos/releases/tag/1.4.1">Download page</a>.</p>
<p><a href="https://nacos.io/zh-cn/docs/auth.html">Documentation</a>.</p>
<h1>Deployment Recommendations for Nacos</h1>
<p>Nacos is defined as an application service discovery and configuration management middleware service. Applications of this kind should generally be deployed in an <strong>internal network environment</strong>; users are therefore advised not to expose Nacos to the <strong>public Internet</strong>.</p>
<p>Even after upgrading to version 1.4.1, please do not run Nacos exposed to the <strong>public Internet</strong>.</p>
<h1>Thanks to the Community</h1>
<p>First, we thank the engineer who reported this security issue to Nacos, and we thank everyone in the Nacos community for their feedback, discussion and encouragement.</p>
<p>Nacos cannot grow without its community; we hope more excellent engineers will join and contribute, making Nacos better and more secure.</p>
<p>Finally, we apologize once again for the trouble and inconvenience this vulnerability has caused everyone. Thank you for your understanding and patience.</p>
<h1>Reporting Security Vulnerabilities</h1>
<p>Because security vulnerability issues are sensitive in nature, we ask that community security engineers report vulnerabilities going forward through <a href="https://security.alibaba.com">ASRC (Alibaba Security Response Center)</a>.</p>
</section><footer class="footer-container"><div class="footer-body"><div class="copyright"><span>@ 2018 The Nacos Authors | An Alibaba Middleware (Aliware) Project</span></div></div></footer></div></div>
	<script src="https://f.alicdn.com/react/15.4.1/react-with-addons.min.js"></script>
	<script src="https://f.alicdn.com/react/15.4.1/react-dom.min.js"></script>
	<script>
		window.rootPath = '';
	</script>
	<script src="/build/blogDetail.js"></script>
</body>
</html>